ER: Devs running WSL Ubuntu cannot run docker-compose up

[roslynwythe]

See comment below #5647 (comment) for instructions for how to resolve ER

Emergent Requirement - Problem

Several new devs running WSL Ubuntu have been blocked by permission errors when running docker-compose up

Issue you discovered this emergent requirement in

see Slack thread copied into #5647 (comment)

Did you have to do something temporarily

• YES - we have to keep fielding slack messages
• NO

Who was involved

@freaky4wrld @jaasonw @klei0229 Matt Pereira

What happens if this is not addressed

Potential contributors may become frustrated and quit Hack for LA

Resources

see comment by @klei0229 #5219 (comment)
see #5647 (comment)
also see other comments in this issue

Recommended Action Items

• Make a new issue
• Discuss with team
• Let a Team Lead know

Potential solutions [draft]

Create an issue to add to the contributing.md file with instructions for how to find your version of Go.

Fang says here #5647 (comment) Anything less than 1.20 has a problem.

[freaky4wrld]

Maybe the situation might differ as the above mentioned solution is not perfect @klei0229 was able to resolve using this approach, and for me it's different like the issue that I have seen is my host machine UID: 1000 but for my Docker Container it's 0. I'm still stuck with this issue and trying to find out the solution to run the site locally.

My Docker Container's UID

My host machine UID

[roslynwythe]

The original Slack thread:

Freaky Wrld
I've been trying to complete my prework checklist and got stuck while hosting the site locally through docker can anybody point out to me where to look for solution...... refer the below screenshot, my current working directory is website, I'm trying to execute the docker-compose up command and the Docker Desktop is running...... what I'm doing wrong here, I looked up here for the solution, but it turned out my current UID is already 1000, but still I tried to provide the environment variables in the docker-compose.yml file, and found that's not working either.
4 files

Screenshot from 2023-09-29 13-50-03.png

Screenshot from 2023-09-29 14-02-32.png

Screenshot from 2023-09-29 14-05-44.png

Screenshot from 2023-09-29 14-06-27.png

Stack OverflowStack Overflow
Unable to build cloned Jekyll site - jekyll 3.8.5 | Error: Permission denied @ dir_s_mkdir - /srv/jekyll/_site

Freaky Wrld
1 month ago
Btw I'm on Ubuntu 22.04.3

Fang
1 month ago
Do you have docker installed as rootless?

Fang
1 month ago
The image sets up a non-root user to run the server and docker rootless config doesn’t support that.

Fang
1 month ago
Either use podman for rootless or run docker server as root.

Fang
1 month ago
I’m running my docker daemon rootless so I’m aware of the issue. (edited)

Freaky Wrld
1 month ago
I don't have any knowledge about docker, installed it following the documentation

Fang
1 month ago
Oh, then it’s probably a different issue.

Roslyn Wythe
1 month ago
@Fang
I'm curious why do you run docker daemon rootless?

Fang
1 month ago
@Roslyn Wythe
Seems like I'm the only one here that does this so maybe it's not that important to do or it's not yet standard practice. I think it's pretty safe for the website team's ghpages docker image to run on a docker daemon running as root. But here's the motivation for running it rootless, but actual usage can be complicated depending on the image being used.
It’s supposedly safer for running docker containers, because it's possible for a compromised container to compromise the host machine running docker as root. Docker has protections against that (seccomp filters out admin-level syscalls, AppArmor does something too) but running the whole thing as a limited user is a more certain guarantee. Here's the explanation for it from an organization dedicated to web security. Here's docker's docs on security with a page on rootless docker.
But here's the problem with rootless: Docker's rootless mode only supports running as root inside the container because that's what it assumes. It has issues with file permissions when running containers as a non-root user (rootless image) like the ghpage image the website team uses does. The rootless image is a safety measure to limit the chances of running something in the container that will compromise the host running a rootful docker daemon. So I think it's still pretty safe to run the ghpages image with a rootful docker daemon.
It's confusing because the rootless daemon doesn't support rootless images, so you have to choose one or the other. Some software provide docker images that run as root and non-root, which is a way to satisfy both camps.
It's enough hassle to run security-minded images that at some point I'm planning to switch back to the rootful docker daemon if podman doesn't work well. Podman is supposed to be a drop-in replacement for docker to run docker containers, only it's daemon-less and has better user-mapping support than docker. It should work according to this comment.

[roslynwythe]

Thank you @fyliu. I'll try to locate other Hfla developers who are experiencing this problem, to see if upgrading the Ubuntu docker client resolves the problem.

[ExperimentsInHonesty]

This ER will be resolved when someone makes an issue to add to the contributing.md file with instructions for how to find your version of Go

Fang says here #5647 (comment) Anything less than 1.20 has a problem.

[HackforLABot]

Hi @k-cardon, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[roslynwythe]

@ExperimentsInHonesty @k-cardon is interested in this issue. She has been waiting for a level 2 issue writing issue for good first issue but there are none of those so I thought this one would be a good choice for her.

[HackforLABot]

Hi @k-cardon, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[k-cardon]

Availability: usually evenings / weekends / Tuesday afternoons

ETA: within one week

[k-cardon]

@roslynwythe just an update that @ExperimentsInHonesty gave permission for me to work on this one!

[k-cardon]

I made the issue from this ER and it is ready for review:

• Update CONTRIBUTING.md Section 1.5.a #7642

[ExperimentsInHonesty]

@k-cardon Thank you for working on this. Your issue has been approved